is completely hidden from the application developer. The application developer communicates with the application server by specifying a security realm. The security realm is configured outside the application, in the application server, and it specifies where the users are located: an SQL database, an LDAP directory, or even a plain text file. It is the responsibility of the application server to provide security realms. Application servers typically expose interfaces for developers to implement their own security realms when there are special requirements for how users log in; you could, for example, implement a security realm that authenticates against an online service such as Google or Yahoo. The implementation is specific to the application server, but it abstracts away how authentication is handled. This makes container-based security very flexible and takes complexity away from the application developer. The application developer configures container-based security in /WEB-INF/web.xml. Listing 11-1 shows an example of container-based security using basic authentication, with different resources protected by different user groups. All Java EE-compliant web application servers support container-managed security, so an application that relies on it stays portable; note that only the web.xml part is portable, while the realm definition that connects it to a user store is specific to each application server.
Listing 11-1. Container-Based Security Configured for a Simple Application with a Couple of Protected Resources
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>faces/index.xhtml</welcome-file>
    </welcome-file-list>
    <!--
        Security constraints (protection) for the CUSTOMER role.
    -->
    <security-constraint>
        <display-name>Customer Constraints</display-name>
        <web-resource-collection>
            <web-resource-name>MyAccount</web-resource-name>
            <description>Account Pages</description>
            <url-pattern>/myaccount/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>CUSTOMER</role-name>
        </auth-constraint>
        <!--
            This section switches the transport from HTTP to HTTPS, thereby
            encrypting the traffic between the browser and server.
        -->
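To see what the container actually does with a security-constraint at request time, the following added example (not code from the book or from any application server) models the decision rules a Servlet 3.1 container applies: it picks the best-matching url-pattern (exact match, then longest /prefix/*, then *.extension, then the default /), keeps only the constraints whose http-method list covers the request, and then combines them (a missing auth-constraint permits everyone, an empty one denies everyone, otherwise the union of role names is allowed; a transport guarantee applies only if every combined constraint demands it). The web.xml it parses is constructed for the example and extends the listing above with an ADMIN area that deliberately constrains only GET, which is the classic mistake that leaves POST and other verbs unauthenticated. Role wildcards (* and **) and http-method-omission are not modeled.

```python
"""Model of how a Servlet container evaluates <security-constraint> entries.
Added example; the rules are a simplification of Servlet 3.1 sections 12.1 and 13.8."""
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed web.xml for this example (assumption: a shop application with a
# CUSTOMER area as on the page, plus an ADMIN area that only constrains GET).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyAccount</web-resource-name>
      <url-pattern>/myaccount/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>CUSTOMER</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ADMIN</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>shop</realm-name></login-config>
  <security-role><role-name>CUSTOMER</role-name></security-role>
  <security-role><role-name>ADMIN</role-name></security-role>
</web-app>"""

# Same descriptor with the GET-only restriction removed, so the constraint covers every verb.
WEB_XML_FIXED = WEB_XML.replace("<http-method>GET</http-method>", "")


def parse_constraints(xml_text):
    """Flatten each web-resource-collection into one constraint record."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        # None = no auth-constraint at all; [] = auth-constraint with no roles.
        roles = None if auth is None else [r.text.strip() for r in auth.findall("j:role-name", NS)]
        guarantee = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
        needs_https = guarantee is not None and guarantee.text.strip() in ("CONFIDENTIAL", "INTEGRAL")
        for wrc in sc.findall("j:web-resource-collection", NS):
            constraints.append({
                "patterns": [p.text.strip() for p in wrc.findall("j:url-pattern", NS)],
                "methods": {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)},
                "roles": roles,
                "https": needs_https,
            })
    return constraints


def match_quality(pattern, path):
    """Rank how well a url-pattern matches a request path; None if it does not match."""
    if pattern == path:
        return (3, len(pattern))                      # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                   # longest path prefix wins
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None         # default pattern, last resort


def authorize(constraints, method, path, user_roles=None, https=False):
    """Return ALLOW, DENY or REDIRECT_HTTPS. user_roles=None means unauthenticated."""
    best, selected = None, []
    for c in constraints:
        for p in c["patterns"]:
            q = match_quality(p, path)
            if q is None:
                continue
            if best is None or q > best:
                best, selected = q, [c]
            elif q == best and not any(s is c for s in selected):
                selected.append(c)
    # A constraint with no http-method applies to all verbs; otherwise only to the listed ones.
    applicable = [c for c in selected if not c["methods"] or method.upper() in c["methods"]]
    if not applicable:
        return "ALLOW"                                # nothing constrains this URL + verb
    if all(c["https"] for c in applicable) and not https:
        return "REDIRECT_HTTPS"                       # container redirects before authenticating
    if any(c["roles"] is None for c in applicable):
        return "ALLOW"                                # missing auth-constraint: open to everyone
    allowed = set().union(*(c["roles"] for c in applicable))
    if not allowed or user_roles is None:
        return "DENY"                                 # empty auth-constraint, or not logged in (401)
    return "ALLOW" if allowed & set(user_roles) else "DENY"


def demo():
    """Evaluate a handful of constructed requests against both descriptors."""
    weak, fixed = parse_constraints(WEB_XML), parse_constraints(WEB_XML_FIXED)
    return {
        "anon_get_account": authorize(weak, "GET", "/myaccount/orders", None, https=True),
        "customer_get_account": authorize(weak, "GET", "/myaccount/orders", {"CUSTOMER"}, https=True),
        "customer_plain_http": authorize(weak, "GET", "/myaccount/orders", {"CUSTOMER"}, https=False),
        "anon_public_page": authorize(weak, "GET", "/faces/index.xhtml", None, https=False),
        "anon_get_admin": authorize(weak, "GET", "/admin/users", None, https=True),
        "anon_post_admin_weak": authorize(weak, "POST", "/admin/users", None, https=True),
        "anon_post_admin_fixed": authorize(fixed, "POST", "/admin/users", None, https=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The interesting row is anon_post_admin_weak: because the Admin collection lists only GET, an unauthenticated POST to /admin/users is not constrained at all and the model returns ALLOW, exactly what a real container does. Leave http-method out (or use http-method-omission) unless you intend to restrict a specific verb, and keep the HTTPS requirement on every collection that carries credentials, since BASIC authentication sends them on every request.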